Top Tips Of Avant-garde NSE4_FGT-7.0 Actual Test

Online NSE4_FGT-7.0 free questions and answers of New Version:

NEW QUESTION 1

Refer to the exhibit.
Given the interfaces shown in the exhibit, which two statements are true? (Choose two.)

  • A. Traffic between port2 and port2-vlan1 is allowed by default.
  • B. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
  • C. port1 is a native VLAN.
  • D. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.

Answer: CD

Explanation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interf
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883

NEW QUESTION 2

In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy, instead of separate policies. Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

  • A. The IP version of the sources and destinations in a firewall policy must be different.
  • B. The Incoming Interface, Outgoing Interface, Schedule, and Service fields can be shared with both IPv4 and IPv6.
  • C. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.
  • D. The IP version of the sources and destinations in a policy must match.
  • E. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

Answer: BDE

NEW QUESTION 3

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

  • A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
  • B. The client FortiGate requires a manually added route to remote subnets.
  • C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
  • D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Answer: CD

Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/266506/ssl-vpn-with-certificate-authentication

NEW QUESTION 4

Which statement about the policy ID number of a firewall policy is true?

  • A. It is required to modify a firewall policy using the CLI.
  • B. It represents the number of objects used in the firewall policy.
  • C. It changes when firewall policies are reordered.
  • D. It defines the order in which rules are processed.

Answer: A

NEW QUESTION 5

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

  • A. Full Content inspection
  • B. Proxy-based inspection
  • C. Certificate inspection
  • D. Flow-based inspection

Answer: D

NEW QUESTION 6

Refer to the exhibit.
An administrator is running a sniffer command as shown in the exhibit.
Which three pieces of information are included in the sniffer output? (Choose three.)

  • A. Interface name
  • B. Ethernet header
  • C. IP header
  • D. Application header
  • E. Packet payload

Answer: ACE

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=11186

NEW QUESTION 7

Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

  • A. diagnose wad session list
  • B. diagnose wad session list | grep hook-pre&&hook-out
  • C. diagnose wad session list | grep hook=pre&&hook=out
  • D. diagnose wad session list | grep "hook=pre"&"hook=out"

Answer: A

NEW QUESTION 8

Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?

  • A. get system status
  • B. get system performance status
  • C. diagnose sys top
  • D. get system arp

Answer: D

Explanation:
"If you suspect that there is an IP address conflict, or that an IP has been assigned to the wrong device, you may need to look at the ARP table."

NEW QUESTION 9

Refer to the exhibit, which contains a radius server configuration.
An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option.
What will be the impact of using Include in every user group option in a RADIUS configuration?

  • A. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
  • B. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
  • C. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
  • D. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.

Answer: A

Explanation:
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/634373/authentication-servers

NEW QUESTION 10

View the exhibit.
A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based on this configuration, which statement is true?

  • A. Addicting.Games is allowed based on the Application Overrides configuration.
  • B. Addicting.Games is blocked on the Filter Overrides configuration.
  • C. Addicting.Games can be allowed only if the Filter Overrides action is set to Exempt.
  • D. Addicting.Games is allowed based on the Categories configuration.

Answer: A

NEW QUESTION 11

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for example.com home page, the override must be configured using a specific syntax.
Which two syntaxes are correct to configure web rating for the home page? (Choose two.)

  • A. www.example.com:443
  • B. www.example.com
  • C. example.com
  • D. www.example.com/index.html

Answer: BC

Explanation:
FortiGate_Security_6.4 page 384
When using FortiGuard category filtering to allow or block access to a website, one option is to make a web rating override and define the website in a different category. Web ratings are only for host names— "no URLs or wildcard characters are allowed".

NEW QUESTION 12

Which of the following are valid actions for FortiGuard category based filter in a web filter profile in proxy-based inspection mode? (Choose two.)

  • A. Warning
  • B. Exempt
  • C. Allow
  • D. Learn

Answer: AC

NEW QUESTION 13

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

  • A. It limits the scope of application control to the browser-based technology category only.
  • B. It limits the scope of application control to scan application traffic based on application category only.
  • C. It limits the scope of application control to scan application traffic using parent signatures only.
  • D. It limits the scope of application control to scan application traffic on DNS protocol only.

Answer: B

NEW QUESTION 14

An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true?

  • A. A phase 2 configuration is not required.
  • B. This VPN cannot be used as part of a hub-and-spoke topology.
  • C. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
  • D. The IPsec firewall policies must be placed at the top of the list.

Answer: C

Explanation:
In a route-based configuration, FortiGate automatically adds a virtual interface with the VPN name (Infrastructure Study Guide, 206).

NEW QUESTION 15

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers. Which CLI command will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?

  • A. set fortiguard-anycast disable
  • B. set webfilter-force-off disable
  • C. set webfilter-cache disable
  • D. set protocol tcp

Answer: A

Explanation:
Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD48294

NEW QUESTION 16

Refer to the exhibit.
The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two.)

  • A. FortiGate SN FGVM010000065036 HA uptime has been reset.
  • B. FortiGate devices are not in sync because one device is down.
  • C. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
  • D. FortiGate SN FGVM010000064692 has the higher HA priority.

Answer: AD

Explanation:
1. Override is disabled by default - OK
2. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA Uptime of the other FortiGate devices, it becomes the primary." The question here is: HA Uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes). Page 314, Infra Study Guide.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disab

NEW QUESTION 17

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

  • A. Proxy-based inspection
  • B. Certificate inspection
  • C. Flow-based inspection
  • D. Full Content inspection

Answer: AC

NEW QUESTION 18

Refer to the exhibits.
Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct? (Choose two.)

  • A. Administrators can access FortiGate only through the console port.
  • B. FortiGate has entered conserve mode.
  • C. FortiGate will start sending all files to FortiSandbox for inspection.
  • D. Administrators cannot change the configuration.

Answer: BD

Explanation:
Reference: https://www.skillfulist.com/fortigate/fortigate-conserve-mode-how-to-stop-it-and-what-it-means/

NEW QUESTION 19

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

  • A. Static IP Address
  • B. Dialup User
  • C. Dynamic DNS
  • D. Pre-shared Key

Answer: B

Explanation:
Dialup user is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup client, and this is often the case for branch offices and mobile VPN clients that use dynamic IP addresses and no dynamic DNS.

NEW QUESTION 20

Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)

  • A. Log downloads from the GUI are limited to the current filter view.
  • B. Log backups from the CLI cannot be restored to another FortiGate.
  • C. Log backups from the CLI can be configured to upload to FTP at a scheduled time.
  • D. Log downloads from the GUI are stored as LZ4 compressed files.

Answer: AB
